ARCHITECTURE FOR SERVING AND MANAGING INDEPENDENT ACCESS DEVICES 


TECHNICAL FIELD 

The present invention relates to an improved architecture for managing multiple independent 
computer users from a common data center. The architecture is particularly applicable in situations 
wherein multiple substantially independent groups of devices and their users use services from and 
are managed from a single data center, such as may be implemented when a company outsources its 
information technologies (IT) needs rather than maintaining an IT department. The present 
invention is more generally applicable to providing services from a service provider to multiple 
independent serviced entities. 

BACKGROUND OF THE INVENTION 

Most businesses have a full set of computer related needs. For example, a business may need 
Internet access, software updates, hard disk maintenance, etc. Often businesses have plural servers 
and printers, as well as other peripherals, connected to a network within an office. 

Most computer networks are managed by either an in house information technologies (IT) 
department, or for smaller businesses, an independent computer consultant. The IT department or 
computer consultant handles all day to day maintenance, software updates, archiving, etc. of the 
entire computer network in an office environment. 

It is possible to save significant costs by outsourcing the management of computer 
capabilities. The outsourcing model permits a single data center service provider to utilize the most 
advanced and presumably expensive hardware and software, which would not be economically 
feasible for a smaller office environment. By distributing the cost of such expensive hardware and 
software over numerous independent customers, and by sharing the resource, each customer can 
have the use of the best available security, data backup capabilities, etc. For example, a firewall can 
be implemented that is far more secure, better tested, and more comprehensive than any firewall that 
a single small office could afford. 

One issue faced by such a data center service provider that provides services to numerous 
independent customers is that of separation and security between the customers. An example of the 
problem is described with respect to Fig. 1. 
A server "forest" 102 located at a data center 100 serves to supply configuration, 
management, software support and services to plural different customers 110, 120, 130, and 140. 
The server forest is denoted as a single triangle, but may represent a network of servers that meet the 
definition of a forest as explained below and as is known to those in this art. The customer networks 
110, 120, 130 and 140 are termed "customer forests", also as that term is known in the art. 

A forest is defined as a collection of one or more active directory trees organized as peers 
and connected by two-way trust relationships between the root domain of each tree. A domain is 
typically used to refer to collections of one or more computers and users within a single security 
grouping which are administered as a group. Forests and domains are terms used regularly by those 
of skill in the art, and are defined in a variety of literature published by Microsoft and other market 
participants. A forest may also be thought of as a collection of one or more domains that create a 
single security boundary and management entity. 

The architecture shown in Fig. 1 provides that a remote server 102 may provide various 
types of data services, configuration, management and numerous other services typically required of 
such systems, to the client computers located in each independent customer network or forest 110, 
120, 130 and 140. Data services that are typical of those provided may also include e-mail, dial up 
access, back-up, anti-virus software, telephony functions, and other similar related functions 
typically provided in such environments. Configuration and management services such as 
monitoring operability of the various client computers in various customer sites, software 
distribution, management, password management, security, and access control, etc. are also 
contemplated. 

One problem encountered with the use of a remote server to handle multiple independent 
customers is maintaining separation and security among the various customer sites. More 
specifically, the architecture of Fig. 1 makes it possible for one of the customers to discover the 
identity of other customers, and their workstations, servers and other devices, and possibly access 
data by hacking into another customer's site through the server forest 102. Accordingly, in order to 
give plural customers the assurance that their identity and data will be maintained separate from 
other customers of the data center, it is important that adequate separation and security be maintained 
at the server forest 102. 

In order for the server to provide the appropriate services, a trust may be set up so that the 
server forest 102 trusts the client forest 110, 120, 130, or 140. In this manner, server forest 102 can 
provide appropriate services to clients 104-108 with full confidence in their identity. However, in 
order for the clients 104-108 to accept software updates, configuration and management commands, 
etc. from server forest 102, the clients 104 through 108 must trust the server 102. Accordingly, a 
two-way trust would be required. 

The two-way trust results in a compromise of security and separation. More specifically, if 
the client forests (e.g., 110, 120) trust server forest 102, and the server forest trusts the client forests, 
then it is possible through the use of a "transitive trust" for the client forests to affect one another 
through the server forest 102. 

In view of the foregoing, there exists a need in the art for an improved method and apparatus 
for maintaining security and separation among various client forests when connected to a common 
server forest. 

There also exists a need in the art for a technique to provide a set of data services (e.g. shared 
files, backup, remote access, anti-virus support, etc.) to a plurality of independent client forests and 
for providing configuration and management of the client forests (e.g. monitoring, software 
distribution, password and security management, etc.) without compromising the separation among 
the plural forests. 

There also exists a need in the art for providing the authentication typically given by trusts in 
a manner that avoids the problem of a transitive trust being used by one client forest to compromise 
the separation and security maintained by the server forest. 

SUMMARY OF THE INVENTION 

The above and other problems of prior art are overcome in accordance with the present 
invention which relates to an improved method and apparatus for providing remote data center data 
services and configuration and management services to a plurality of independent customers, without 
compromising security or separation. The invention includes defining a predetermined one way 
relationship, separating services wherein the relationship runs from the service provider to the 
serviced entity from services wherein the relationship runs from the serviced entity to the service 
provider, and preferably providing the latter services from a different one or more computers than 
those from which the former services are provided. 

In accordance with a preferred exemplary embodiment of the invention, the services provided 
by the data center are divided into two categories: Data Services and Configuration and Management 
Services. Data services represent items such as remote access, dial in, shared files, etc. In general, 
data services represent remotely provided services that are desired by the various entities. The 
configuration and management services represent functionality such as monitoring and software 
distribution, configuration and management of the various client computers, password and access 
control, security, etc. In general, configuration and management services represent remote ways of 
monitoring, configuring, and updating various client computers. Typically, such configuration and 
management services are scalable, but this is not a requirement. 

"Trusts" are a defined term to those skilled in the art, and generally allow users of one 

domain to access services in another domain. Microsoft® Corporation defines a trust as follows: 

"TRUST RELATIONSHIP: A trust relationship allows users and global groups from 
another user account database to be used. It is a link between domains that enables 
pass-through authentication, in which a trusting domain honors the logon 
authentications of a trusted domain. With trust relationships, a user who has only 
one user account in one domain can potentially access the entire network. User 
accounts and global groups defined in a trusted domain can be given rights and 
resource permissions in a trusting domain, even though those accounts do not exist in 
the trusting domain's directory database." 

In simpler form, a trust is generally recognized in the industry as a relationship between two 
sets of computers (e.g. domains) that allows users in one of the sets of computers to access resources 
in another set of computers in a secure way. 

In accordance with the exemplary embodiment of the invention, the data services and 
configuration and management services are divided into two separate forests, each of which may 
comprise one or more servers. The forests are operated by a service provider that provides IT 
services to plural unrelated entities, such as various companies that outsource their IT requirements. 

A first trust is established so that the data services forest trusts each of the client forests, and 
a second trust is established such that each of the clients trusts the configuration and management 
forest. In a preferred embodiment, the data services forest also trusts the configuration and 
management forest. 

By the foregoing arrangements of trusts, and as shown in further detail with respect to the 
detailed description below, no client forest trusts another forest which itself trusts a different client 
forest. Thus, the problem of transitive trusts being used by one client forest to identify or possibly 
access or corrupt another client forest is eliminated. 

In an additional embodiment, a service provider implements a method of dividing services to 
be provided to third parties into two categories. A first category includes services that require that 
the serviced entity trust the service provider. The second category includes those services that 
require that the service provider trust the serviced entity. First category services are provided from 
one forest or set of computers, and second category services are provided from another forest or set of 
computers. Optionally, the computers providing the first set of services are trusted by those 
providing the second set of services. The arrangement of trusts helps avoid any problems caused by 
transitive trusts. In more general embodiments, the trust need not be utilized, but instead, any one 
way relationship may be employed, as described more fully below. 

The above and other details and objects of the invention will become clearer upon review of 
the following drawings and detailed description of the preferred embodiment. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 shows a prior art arrangement wherein the server forest is connected to plural client 
forests; and 

Fig. 2 shows a conceptual block diagram of an exemplary embodiment of the present 
invention. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT 

Fig. 2 shows a block diagram of an exemplary embodiment of the present invention. The 
arrangement of Fig. 2 includes a service forest 202 and a management and configuration forest 204, as 
well as an exemplary set of client forests 206-211. Each of the client forests 206-211 may include a 
variety of servers, peripherals, client computers, etc. The service forest and management and 
configuration forest 202 and 204, respectively, would typically include plural servers. The links 
221-226 and 231-236 represent trusts, wherein the arrows indicate which forests trust each other. 
More specifically, link 221, for example, indicates that service forest 202 trusts client forest 206. 
Link 233 indicates that client forest 208 trusts management and configuration forest 204. 

We first note that there are no two-way trusts. Moreover, every client forest (e.g. 207) trusts 
the configuration and management forest 204. However, management and configuration forest 204 
does not trust the service forest 202. As a result of the relationship of the trusts among the forests, 
there is no possibility for a transitive trust to be used for one of client forests 206-211 to identify or 
possibly access or corrupt a different client forest. The use of such one way relationships makes it 
impossible for one of the forests 206-211 to learn the identity of, or to access or corrupt, other ones 
of the forests 206-211. 

In operation, service forest 202 provides relevant services to the client forests 206-211. 
These services may include, but are not limited to, telephony, anti-virus protection, remote access, 
dial-in services, backup of files, e-mail hosting and forwarding, etc. The architecture of the service 
forest will be described in more detail below. 

The configuration and management forest provides services such as, for example, 
monitoring, software updates, software distribution, security, and password management. 

If an exemplary client forest 208 receives a software update from the configuration and 
management forest 204, the client forest 208 can trust the authenticity and validity of the software 
update, because of the trust relationship indicated as 233. 

Notably, the exemplary embodiment above describes separation of the management and 
configuration forest from the service forest. However, the concept of the interrelationship of the 
relevant trusts may be extended. More specifically, a service provider providing services to 
multiple independent entities must engage in numerous interactions between itself and the 
entities managed and serviced. The interactions can be classified into two groups: (1) Those that 
require that the entity accepting services or management trust the service provider; and (2) those 
that require that the service provider trust the entity or group being serviced or managed. By 
splitting the functionality along such lines, and separating the trustee forest (the forest that is 
required to trust a different entity) from the trusted forest, (i.e. the forest that is trusted by another 
entity) the transitive trust problem is avoided. 
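The trust analysis of Fig. 2 and the service-splitting rule just described can be checked mechanically. The following is an added illustration, not part of the patent and not code from any product it references: it models forests as nodes of a directed graph, one-way trusts as edges from the trusting forest to the trusted forest, derives the trust graph from a constructed table of which way each service requires the trust to run, and then walks the graph transitively to report any pair of client forests in which one ends up trusting the other. The forest numbers follow Figs. 1 and 2; the service table and the "204 trusts 202" misconfiguration are assumptions made for the illustration.

```python
from collections import deque

# The two categories of interaction named in the detailed description.
PROVIDER_TRUSTS_ENTITY = "provider trusts entity"   # data services (service forest)
ENTITY_TRUSTS_PROVIDER = "entity trusts provider"   # configuration/management forest

# Constructed sample table: which way each service requires the trust to run.
SERVICE_DIRECTION = {
    "remote access": PROVIDER_TRUSTS_ENTITY,
    "dial-in": PROVIDER_TRUSTS_ENTITY,
    "shared files": PROVIDER_TRUSTS_ENTITY,
    "backup": PROVIDER_TRUSTS_ENTITY,
    "e-mail": PROVIDER_TRUSTS_ENTITY,
    "monitoring": ENTITY_TRUSTS_PROVIDER,
    "software distribution": ENTITY_TRUSTS_PROVIDER,
    "password management": ENTITY_TRUSTS_PROVIDER,
}

FIG1_CLIENTS = ["110", "120", "130", "140"]          # client forests of Fig. 1
FIG2_CLIENTS = [str(n) for n in range(206, 212)]     # client forests 206-211 of Fig. 2


def one_way(edges, trusting, trusted):
    """Record a one-way trust: `trusting` honours logons from `trusted`."""
    edges.setdefault(trusting, set()).add(trusted)


def build_trust_graph(service_direction, clients, hosting):
    """Derive the trust graph implied by where each service category is hosted.

    `hosting` maps a direction label to the provider forest offering those
    services.  A data service makes the provider forest trust every client; a
    configuration service makes every client trust the provider forest.
    """
    edges = {}
    for direction in set(service_direction.values()):
        forest = hosting[direction]
        for client in clients:
            if direction == PROVIDER_TRUSTS_ENTITY:
                one_way(edges, forest, client)
            else:
                one_way(edges, client, forest)
    return edges


def transitively_trusted(edges, start):
    """All forests that `start` ends up trusting once trusts chain transitively."""
    seen, queue = set(), deque([start])
    while queue:
        node = queue.popleft()
        for trusted in edges.get(node, ()):
            if trusted not in seen:
                seen.add(trusted)
                queue.append(trusted)
    return seen


def client_exposures(edges, clients):
    """(victim, other) pairs where a client forest transitively trusts another
    client forest, i.e. accounts from `other` could be granted rights in `victim`."""
    clients = set(clients)
    pairs = []
    for victim in clients:
        for other in transitively_trusted(edges, victim):
            if other in clients and other != victim:
                pairs.append((victim, other))
    return sorted(pairs)


def prior_art_fig1():
    """Fig. 1: a single server forest 102 hosts both categories, which forces a
    two-way trust with every client forest."""
    hosting = {PROVIDER_TRUSTS_ENTITY: "102", ENTITY_TRUSTS_PROVIDER: "102"}
    return build_trust_graph(SERVICE_DIRECTION, FIG1_CLIENTS, hosting)


def embodiment_fig2(service_trusts_management=True):
    """Fig. 2: data services from forest 202, configuration from forest 204;
    optionally 202 also trusts 204 so that 204 can manage 202."""
    hosting = {PROVIDER_TRUSTS_ENTITY: "202", ENTITY_TRUSTS_PROVIDER: "204"}
    edges = build_trust_graph(SERVICE_DIRECTION, FIG2_CLIENTS, hosting)
    if service_trusts_management:
        one_way(edges, "202", "204")
    return edges


if __name__ == "__main__":
    print("Fig. 1 exposures:", client_exposures(prior_art_fig1(), FIG1_CLIENTS))
    print("Fig. 2 exposures:", client_exposures(embodiment_fig2(), FIG2_CLIENTS))
    # Assumed misconfiguration (not in the description): 204 is made to trust 202.
    broken = embodiment_fig2()
    one_way(broken, "204", "202")
    print("204 trusts 202:", client_exposures(broken, FIG2_CLIENTS))
```

The Fig. 1 graph reports every ordered pair of client forests, the Fig. 2 graph reports none (with or without the optional 202-trusts-204 link), and the assumed variant in which forest 204 trusts forest 202 again reports every pair, which is why the description stresses that the management forest does not trust the service forest.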

It can also be appreciated from Figure 2 that it is possible to provide a trust such that the 
service forest 202 trusts the management forest 204. By providing such a relationship, the 
management forest can also manage the service forest to ensure proper configuration, software 
updates, etc. 

Figure 2 also depicts the connection of the services forest 202 to a network. Such a 
connection permits telephone services, web hosting, email, etc. to be implemented. The 
connection shown to the network may connect to a telephone network, a data network, or both. 
Preferably, both an Internet connection and a Public Switched Telephone Network (PSTN) 
connection would be present. 

It is also notable that the trust relationship can be replaced with one or more other types 
of relationships in order to achieve substantially the same result. For example, a certificate tree, 
access control list, or a predetermined token that must be possessed by an entity accessing 
another entity may be utilized. Whatever the predetermined relationship, the remote service 
provider is arranged such that the predetermined relationship is one way, and such that a 
separation of services is implemented. Services where the relationship flows from the service 
provider to one or more serviced entities form a first set of services, and services where the 
relationship flows from the serviced entities to the service provider form a second set of services. 

The first and second sets of services are then provided from different servers or different server 
forests, or by securely separated software on the same server(s). 

Moreover, it is noted that while remote IT services are used herein for exemplary 
purposes, the invention is not limited thereto. Any type of situation wherein services are 
provided to a plurality of users may benefit from the separation of services wherein a one way 
relationship flows from the serviced entity to the servicing entity, from services where the one 
way relationship flows from the servicing entity to the serviced entity. Other examples include 
telephony services, plural mobile users of a wireless service, various business and organizational 
units, unified messaging, voice mail services, etc. 

While the above describes the preferred embodiment of the invention, various other 
modifications and additions will be apparent to those of skill in the art. For example, while we 
describe herein a situation wherein each customer site is a separate forest containing one domain, 
that need not be the case. The forest can span multiple customer sites, and can have multiple 
domains. These and other modifications are intended to be covered by the following claims. 